Cleaning Steps, Did I miss anything for rootkit/trojan combo

Been a while since I’ve had to deal with this type of issue, and the first time on Windows 7. I believe all of it stemmed from a bad download of CamStudio starting 24 hours ago.

Avast realtime scan detected win32: trojan-gen which was moved to chest, then a bootscan which detected win32:rootkit-gen[Rtk] which was also successfully moved. Two files had trouble scanning, one a google earth kml file as well as a very old (1990s) zip file with one Word file corrupted.

Performance Optimizer .dlls were the infected files (one of a slew of crap programs loaded with CamStudio) and I proceeded to manually clean the registry and other files related to that app.

Ran RKill which reported clean and then TDSSKiller (rebooted after first scan to scan loaded modules) which also reported clean.

Am I Botted? reported a different rootkit/trojan with about an hour's difference in timestamp 24 hours ago (TDSS-TDL_Generic and Multi_CriminalClick_MugaVuga).

As of right now, TDSS-TDL is the only one being reported on Am I Botted? with a timestamp from yesterday morning.

Have rebooted multiple times since the cleaning, and changed passwords for the accounts I logged into during the known time the computer was having issues.

Anything I should have done differently? Anything additional I should do now to make sure the system is cleaned, particularly when dealing with the rootkit?

Thanks,
-B

https://forum.avast.com/index.php?topic=53253.0

Thanks for pointing me to the sticky, you would think I would have read those first… :-\

Attached are the logs. After cleaning with MAMB successfully, https://amibotted.comcast.net/ is still reporting TDSS-TDL_Generic is active, having gone from Times Seen: 10 to Times Seen: 18 as of 10:45PM EDT on 9/6. A few other posts appeared on the web on 9/5 with the exact same situation, but none prior, so this appears fairly new.

Thanks again to all the volunteers…

Am I Botted is part of the Comcast suite, and obviously they would like you to buy their services. As neither TDSSKiller, AswMBR nor FRST show any signs of TDSS, methinks that is a bit of a scam.

Are you experiencing any problems at all now that the adware has gone?

I keep receiving the botted notice screen. I have downloaded the latest version of my anti-virus software, password blocked my wi-fi service and am running RUbotted software on both computers. I also run the Microsoft anti-botware you recommend in the pop-up screen. I have no bots according to all these software programs, yet the screen keeps popping up. I'm beginning to think it's Comcast Spam. Is there a problem with this new version you're operating that the window gets "stuck" or are you trying to get me to buy into some software you're selling? Either way, it's very annoying. What can we do about it?
From the Comcast forum; there was no answer to this from Comcast.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [] => [X]
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
CHR DefaultSearchKeyword: Default -> A08DCD9149129883BE77D58A74A790ABBAB59F203C557C85BEF08C392A234F74
CHR DefaultSearchURL: Default -> E876A5EDB7996E168DEB7974D20A05A9CD806E9FE43AF104FEE2F34789AFB1EF
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
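To show what the three "Toolbar: ... - No File" lines in that fixlist mean, here is an added PowerShell snippet (my own, not from the thread and not part of FRST) that lists Internet Explorer toolbar registrations and flags the ones whose COM DLL no longer exists on disk. It assumes the standard IE toolbar and CLSID registry keys shown and only reads the registry.

```powershell
# Added example, not FRST's own logic: find orphaned IE toolbar entries.
# A toolbar is registered as a value (name = CLSID, data = display name)
# under the keys below; the DLL that implements it is the (Default) value
# of HKCR\CLSID\{clsid}\InprocServer32. When that DLL is gone, FRST reports
# the entry as "No File": a leftover of removed adware, safe to delete.
# Assumed paths; run in an elevated prompt to read the HKLM keys.
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-ToolbarServerPath {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) {
                # Paths may be quoted or use %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

foreach ($key in $toolbarKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $hive = $key.Split(':')[0]
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        # Only value names shaped like a CLSID are toolbar registrations;
        # skip the PSPath/PSParentPath/... properties PowerShell adds.
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $name = if ($p.Value) { $p.Value } else { 'No Name' }
        $dll = Get-ToolbarServerPath -Clsid $p.Name
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) { $dll }
                  else { 'No File (orphaned, candidate for removal)' }
        'Toolbar: {0} - {1} - {2} - {3}' -f $hive, $name, $p.Name, $status
    }
}
```

The output mirrors FRST's "Toolbar:" lines, so an entry printed with "No File" corresponds to the kind of line the fixlist above removes.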

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Didn’t have any problems at all; once I saw the adware installed, I uninstalled everything from the CamStudio bundle. A couple of weeks later, 9/5, Avast realtime scan detected win32: trojan-gen which was moved to chest, then a bootscan which detected win32:rootkit-gen[Rtk], which was also moved. No performance issues/adware/browser takeovers/excessive CPU/memory use.

Then the Comcast email started, and when visiting amIbotted, it showed a different trojan/virus combo. After using the various software above, scans are coming back clean, but amibotted is still reporting TDSS-TDL_Generic, now stating this morning was the latest activity, and a new one, Rerdom_CriminalFinancial_Asprox. The second is interesting: only four hits on the Web for it, and all related to Comcast. Three have been in the last two days and one from May. One would think more hits would be shown?

Attached logs below.

Just found this thread:

http://www.bleepingcomputer.com/forums/t/547159/constant-guard-reporting-bots/

Over the last two days, Constant Guard has been notifying me of a TDSS-TDL_Generic.
I've been having a very similar issue.

A fairly long list of others that have the same matching amibotted viruses listed, and the same results after multiple scans with various antivirus software packages.

How often would something like this be at the router level? Is that even possible with the reported viruses?

TDSS is an MBR infection and does not (to the best of my knowledge) affect the router. Routers can be hijacked by DNS-changing software, but if you have any password on it bar the default then you are safe. Also Avast would shout if you went somewhere murky :slight_smile:

Otherwise your system looks clean; if you are happy I will tidy up and remove my tools.

Looks like others getting reports on amIbotted also are now clear. Funny enough, so am I. Not sure what to make of the mix of results, but appreciated the guidance here.

All set from my end. Thanks to Avast! for this forum, the volunteers and in particular essexboy.

Cheers,
-B

No problems that is why we are here :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Great, all set.

Comcast is posting this:

Dear Xfinity Internet Customer,

We recently sent an email between September 4th and 8th notifying you of a possible infection on your home computer or network. We have determined that this Constant Guard notification was most likely sent in error due to an inadvertent update from the provider of our malware detection service. We sincerely apologize for any inconvenience this may have caused, and we are working with our provider to ensure this doesn’t happen again. We take matters related to Internet security and privacy very seriously and will continue to ensure that our customers have a safe and secure Internet experience.

While we believe that the notice you received was sent in error, it is still very important that you make sure your computers and home network are clean and secure. For tools and information about online safety, visit: https://constantguard.comcast.net. You should assume any other Constant Guard notification you have received is accurate and follow the instructions in it for cleaning and securing your home computers and network.

Sincerely,

Constant Guard from XFINITY

Thanks for the update :slight_smile: